6fbdaa6d5e497f78db70beec806e70ed82ff78c383edea45b7d56f10d3b5a1c6

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-08-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
Size

281KB
MD5

c2416aec2747f03a912b07f0b7aa069a
SHA1

251ff482ec6470b0d69a70667fcc51a117bcc67b
SHA256

6fbdaa6d5e497f78db70beec806e70ed82ff78c383edea45b7d56f10d3b5a1c6
SHA512

1dc4c469220797b78d4c75993d183a16270ab3b575415dd75f56dad6b9401a7d108a5fc3fc1b2d30f5deadf52196c4121b44a1708587320d4ad76959e924e91f
SSDEEP

6144:7pcnH1hymlUEAsvK7ke5L3iFPwsj9CnL9R6jbKVCA7W5f1uHVOJ:7pYDycUEAWK7SCsj9kLnCAS9IVW

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\C2416A~1.EXE,"	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\userinit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\C2416A~1.EXE"	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\26e44d19 = "b\x1d†òÄÓ\x1b\x1c;\x16s\x1bÛ™\|~o\x01S§šŽÃc\x18Tîª‹tdO—\x04Ä\x05j3§\x19\nüâØkH<W\|¦Àþ…D–àFRÄ¥_(¿ñ\vFØ#NÑÜ¦\x04\x06,\vÍ\x16çÿy£\x1a\fÇç\t\x1a\x0f·êÏ\x7fîÇ·'o\x1e§¿\x17\x17J·xÇ—¯‚¸–§OÐOúVž'\x17ö\x0f7\x17ùç¸\x1f¿w\x7f\a’W‡g\u008fòçi‰™úŸYn_ùïI?Ú¯/¯¸n9hRú‡'g×‡ïW\x18§g™—!?¨ï/\x17)Vg÷&ð\x0e\x0fž§\x0fQð Á¢ùf^’š/—.8\a\u0081\x7f\x1f/v¦/?\x1f™âŠ7ï¯O‡Ö)\x7f¿¹þÿÇ¾gâ\x1f®\x7f\x1f‘‡xh2ÙŸ\x1e?xê†±x’\x17úÑßG"	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\C2416A~1.EXE"	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
Token: SeSecurityPrivilege	1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
Token: SeSecurityPrivilege	1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
Token: SeSecurityPrivilege	1152	c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c2416aec2747f03a912b07f0b7aa069a_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Modifies WinLogon
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-1-0x0000000000710000-0x000000000075F000-memory.dmp

Filesize
316KB

Download
memory/1152-0-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/1152-2-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1152-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1152-8-0x0000000002590000-0x0000000002642000-memory.dmp

Filesize
712KB

Download
memory/1152-4-0x0000000002590000-0x0000000002642000-memory.dmp

Filesize
712KB

Download
memory/1152-6-0x0000000002590000-0x0000000002642000-memory.dmp

Filesize
712KB

Download
memory/1152-14-0x0000000002590000-0x0000000002642000-memory.dmp

Filesize
712KB

Download
memory/1152-15-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/1152-12-0x0000000002590000-0x0000000002642000-memory.dmp

Filesize
712KB

Download
memory/1152-10-0x0000000002590000-0x0000000002642000-memory.dmp

Filesize
712KB

Download
memory/1152-16-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-18-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-20-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-42-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-48-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-43-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-44-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-45-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-61-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-46-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-78-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-47-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-49-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-50-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-51-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-52-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-53-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-54-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-55-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-56-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-80-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-86-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-85-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-84-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-83-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-82-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-81-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-79-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-77-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-76-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-75-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-74-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-73-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-72-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-71-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-70-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-69-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-68-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-67-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-66-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-65-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-64-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-63-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-62-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-60-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-59-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-58-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-57-0x0000000002790000-0x0000000002848000-memory.dmp

Filesize
736KB

Download
memory/1152-168-0x0000000000710000-0x000000000075F000-memory.dmp

Filesize
316KB

Download
memory/1152-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download